
Weird FTP Attempts Log File

Hi All,

Today I checked the FTP log file for my web site, and I was surprised to find a lot of attempts to log in to my site's FTP. A lot of the attempts were anonymous attempts, but some were strange login names. I'm wondering why people were trying to log in with these names. This FTP is exclusive to me, and it has not been given out to anyone, so it is obviously someone or some group of people attempting unauthorized access. I did some research on the IP addresses the attempts were coming from, and to my surprise they are from China. So I have come to the conclusion that this could be one of three things:

1) Someone who has the wrong IP address (mine) for their FTP.
2) Someone from China trying to get into my system.
3) Someone using a proxy in China to get into my system.

Can anyone shed some light on why these strange user names are being tried? Names such as:

I'm not really paranoid about someone getting in. I'm just wondering what is up with the weird names they try to log in with. Maybe there are some vulnerabilities for some OS's that use those login names, or maybe vulnerabilities for some FTP servers out there that use those names. I don't know. Any ideas?

The log file looks to me like people are out there looking for an anonymous FTP server...

The most obvious reason why they would be looking at your server, especially if it has anonymous enabled, is to turn it into a WAREZ site... It could be possible that someone somewhere has posted your site as 'tagged' on the WAREZ lists...

Just a thought...

Neb

There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

Originally posted here by nebulus200:
The log file looks to me like people are out there looking for an anonymous FTP server...

The most obvious reason why they would be looking at your server, especially if it has anonymous enabled, is to turn it into a WAREZ site... It could be possible that someone somewhere has posted your site as 'tagged' on the WAREZ lists...

Hmm... I'm not sure what you mean by tagged. Is that meaning that someone might have found something and listed my site as vulnerable?

Not vulnerable, it just means that someone has found it is possible to upload files and has uploaded whatever program they were wanting to spread around and then advertised it as such...

Just have a look under your FTP root for odd-named directories/files, look for 'tagged by' etc. If that happened, you will see a lot of directories that end in spaces (very hard to see from Windows). Do you have anonymous FTP turned on?

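The check nebulus200 describes, written out as an added example (not code from the thread): walk an FTP root and flag the names a warez drop typically leaves behind, such as directories ending in spaces, names that are only dots and spaces, or anything containing 'tagged'. The sample tree is constructed in a temporary directory.

```python
"""Scan an FTP root for the tell-tale names of a 'tagged' warez drop."""
import os
import tempfile


def suspicious_reason(name: str):
    """Return why a file/directory name looks like a warez tag, or None."""
    if name != name.rstrip():
        return "trailing whitespace"      # invisible in Explorer
    if not name.strip(" ."):
        return "only dots/spaces"         # e.g. '...' or '   '
    if "tagged" in name.lower():
        return "contains 'tagged'"        # 'tagged by <group>' directories
    return None


def scan_ftp_root(root: str):
    """Walk root and return sorted (relative path, reason) for suspicious entries."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reason = suspicious_reason(name)
            if reason:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append((rel, reason))
    return sorted(hits)


def build_sample_root() -> str:
    """Constructed sample FTP root: a legitimate site plus a warez-style drop."""
    root = tempfile.mkdtemp(prefix="ftproot_")
    os.makedirs(os.path.join(root, "www", "images"))
    os.makedirs(os.path.join(root, "incoming", "tagged by someone"))
    os.makedirs(os.path.join(root, "incoming", "movies   "))
    os.makedirs(os.path.join(root, "incoming", "..."))
    return root


if __name__ == "__main__":
    for path, why in scan_ftp_root(build_sample_root()):
        print(f"{why:20s} {path!r}")
```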

Does the IEUser@ bit mean that they entered "ftp://<site>" in the Internet Explorer navigation bar?
I wouldn't worry too much, unless they were trying to DoS you, this method of attack is hardly a threat...

I think that if someone were trying to brute force in there would be more random-character passwords, and if they were trying a dictionary attack they would be more sequential. If they know who you are they could be trying a specified password list of likely passwords..... do any of these passwords mean anything to you?

Also the hotmail email address....... a lot of FTP servers ask for a valid email address as a password for any kind of guest account....... might wanna try that email address given to you, and hope that hotmail doesn't filter it out with its nice little filters.....

I'd say that you have no problem unless it does continue. It also looks like they're on a standard dialup connection, cause the connection would be faster if they had a faster connection...... so if you start getting over 20-30 attempts per minute, I'd say that IF this is actually someone trying to get in, it's probably just a lamer trying out what he read in some 20 year old text file.
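The triage LoggOff suggests (who tried which user names, how many failed, and whether any one IP reaches a brute-force rate of 20-30 attempts per minute), as an added example that is not from the thread. It assumes the IIS W3C FTP log layout (`#Fields: time c-ip cs-method cs-uri-stem sc-status`, with USER/PASS in cs-method behind a `[n]` session prefix); the log lines below are constructed.

```python
"""Summarise login attempts in an IIS-style W3C FTP log."""
from collections import Counter, defaultdict

# Constructed sample log (addresses from documentation ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: time c-ip cs-method cs-uri-stem sc-status
10:04:12 203.0.113.7 [1]USER anonymous 331
10:04:13 203.0.113.7 [1]PASS IEUser@ 530
10:04:13 203.0.113.7 [1]QUIT - 226
10:09:41 198.51.100.23 [2]USER spring 331
10:09:42 198.51.100.23 [2]PASS - 530
10:31:02 203.0.113.7 [3]USER anonymous 331
10:31:03 203.0.113.7 [3]PASS guest@hotmail.com 530
"""


def parse_log(text):
    """Yield (time, ip, verb, argument, status) for every non-comment line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        time, ip, method, arg, status = line.split(" ", 4)
        verb = method.split("]", 1)[-1]          # drop the "[n]" session prefix
        yield time, ip, verb, arg, int(status)


def triage(text, brute_force_per_minute=20):
    """Count anonymous vs. odd user names, failed PASS (530) per IP, and flag
    any IP whose USER attempts in one clock minute reach the brute-force rate."""
    usernames = Counter()
    failed_by_ip = Counter()
    per_minute = defaultdict(Counter)
    for time, ip, verb, arg, status in parse_log(text):
        if verb == "USER":
            usernames[(ip, arg)] += 1
            per_minute[ip][time[:5]] += 1    # HH:MM bucket
        elif verb == "PASS" and status == 530:
            failed_by_ip[ip] += 1
    peak = {ip: max(b.values()) for ip, b in per_minute.items()}
    return {
        "anonymous_attempts": sum(n for (_, u), n in usernames.items()
                                  if u.lower() == "anonymous"),
        "odd_usernames": sorted({u for (_, u) in usernames if u.lower() != "anonymous"}),
        "failed_logins_by_ip": dict(failed_by_ip),
        "brute_force_ips": sorted(ip for ip, n in peak.items()
                                  if n >= brute_force_per_minute),
    }
```

A handful of attempts spread over half an hour, as in the sample, yields an empty `brute_force_ips` list; a dictionary run against one account would fill a single HH:MM bucket well past the threshold.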

Yea, I'm not worried, just curious to why all of a sudden all these FTP attempts have started. I started blocking the IP Addresses, just because I'm tired of seeing all the login attempts. I double checked all my web sites that I host and made sure that anonymous access is disabled. Which actually brings up another question that maybe someone could help me out with. When you create a new FTP in IIS on Windows 2000 Server anonymous access is automatically enabled. Figures....

Does anyone know if there is a registry hack or a setting that will stop that from being automatically enabled? I don't want to take the chance of forgetting to disable it when adding new FTPs.

Originally posted here by LoggOff:
I think that if someone were trying to brute force in there would be more random-character passwords, and if they were trying a dictionary attack they would be more sequential. If they know who you are they could be trying a specified password list of likely passwords..... do any of these passwords mean anything to you?

Also the hotmail email address....... a lot of FTP servers ask for a valid email address as a password for any kind of guest account....... might wanna try that email address given to you, and hope that hotmail doesn't filter it out with its nice little filters.....

I'd say that you have no problem unless it does continue. It also looks like they're on a standard dialup connection, cause the connection would be faster if they had a faster connection...... so if you start getting over 20-30 attempts per minute, I'd say that IF this is actually someone trying to get in, it's probably just a lamer trying out what he read in some 20 year old text file.

jethro > yes, most likely

Thanks... The words they are trying mean nothing to me, and like you said the attempts aren't coming in 30 at a time, so it doesn't look like it is a brute force type thing. That confuses me even more though. I mean, why the hell would someone try the user name "spring" for absolutely no reason? Very strange.

Also... There are so many anonymous access attempts from so many different IP addresses. I am wondering where these people are getting my IP from. I thought that maybe they are just running scanners that try anonymous access on a whole IP block, but none of my other FTPs on the same block are showing any anonymous attempts.

If you had the anonymous FTP on for a while, you probably drew the attention of a few WAREZ folks. As more and more people hit it and find it is no longer there and is invalid, the number of those attempts will eventually go down to 0...

Any time you set up a service, ESPECIALLY a micro$oft one (because they love to do very insecure things by default), you should have a set of procedures that you go through to ensure that the configuration is as safe and tight as you can make it. It is something that you should get into the practice of, otherwise things could be a lot worse than they were this time... It won't guarantee that you aren't hacked, but it will sure as hell make it more difficult...
